package org.wso2.carbon.identity.application.authentication.framework.handler.request.impl;

import java.io.IOException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorStateInfo;
import org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade;
import org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig;
import org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig;
import org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig;
import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthHistory;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.context.SessionContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserSessionException;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.LogoutRequestHandler;
import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceDataHolder;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedIdPData;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult;
import org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthResponseWrapper;
import org.wso2.carbon.identity.application.authentication.framework.store.UserSessionStore;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.common.model.ServiceProviderProperty;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.core.URLBuilderException;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;

/* loaded from: input_file:org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/DefaultLogoutRequestHandler.class */
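/**
 * Default handler for logout requests received by the authentication framework.
 * <p>
 * On a logout it (1) drops the user's session mapping and session context, (2) removes the auth cookie,
 * (3) gives every authenticator that took part in the session a chance to log the user out of its IdP
 * (pausing the flow if one of them redirects to an external IdP) and (4) sends the browser back to the
 * caller path, after checking that the caller path is an acceptable redirect target.
 * <p>
 * A singleton; obtain it with {@link #getInstance()}.
 */
public class DefaultLogoutRequestHandler implements LogoutRequestHandler {

    private static volatile DefaultLogoutRequestHandler instance;

    /** Service-provider property holding the regex a logout return URL has to match. */
    private static final String LOGOUT_RETURN_URL_SP_PROPERTY = "logoutReturnUrl";
    /** identity.xml switch: when "true", a host-bearing caller path with no relying party is rejected. */
    private static final String ENABLE_VALIDATING_LOGOUT_RETURN_URL_CONFIG = "CommonAuthCallerPath.EnableValidation";
    /** identity.xml key of the URL used when the caller path is rejected. */
    private static final String DEFAULT_LOGOUT_URL_CONFIG = "CommonAuthCallerPath.DefaultUrl";
    /** Server-local logout page used when {@value #DEFAULT_LOGOUT_URL_CONFIG} is not configured. */
    private static final String DEFAULT_LOGOUT_PAGE = "/authenticationendpoint/samlsso_logout.do";
    /** Regex that accepts every caller path; the fallback when a service provider registers no pattern. */
    private static final String MATCH_ANY_URL = ".*";
    private static final String LOCAL_IDP_NAME = "LOCAL";
    private static final String SAML_SSO_AUTHENTICATOR_NAME = "SAMLSSOAuthenticator";
    private static final Log log = LogFactory.getLog(DefaultLogoutRequestHandler.class);
    private static final Log AUDIT_LOG = CarbonConstants.AUDIT_LOG;

    /**
     * Caller paths that name a host: an absolute http(s) URL, a "www." form or a bare dotted host name.
     * Case-insensitive on purpose -- schemes and host names are case-insensitive, so an upper-case form
     * must be classified the same way as its lower-case twin.
     */
    private static final Pattern HOST_BEARING_URL = Pattern.compile(
            "^((https?)://|(www)\\.)?[a-z0-9-]+(\\.[a-z0-9-]+)+([/?].*)?$", Pattern.CASE_INSENSITIVE);
    /** A URI scheme prefix ("scheme:"); a caller path starting this way is not a path on this server. */
    private static final Pattern SCHEME_PREFIX = Pattern.compile("^[a-zA-Z][a-zA-Z0-9+.-]*:");

    /**
     * Returns the shared handler instance, creating it on first use.
     * <p>
     * Double-checked locking: {@code instance} is {@code volatile}, so the unsynchronized first read is safe.
     *
     * @return the singleton handler
     */
    public static DefaultLogoutRequestHandler getInstance() {
        if (log.isTraceEnabled()) {
            log.trace("Inside getInstance()");
        }
        DefaultLogoutRequestHandler handler = instance;
        if (handler == null) {
            synchronized (DefaultLogoutRequestHandler.class) {
                handler = instance;
                if (handler == null) {
                    handler = new DefaultLogoutRequestHandler();
                    instance = handler;
                }
            }
        }
        return handler;
    }

    /**
     * Handles a logout request end to end.
     * <p>
     * Local clean-up (session mapping, session context, auth cookie) happens first and unconditionally.
     * Authenticator logout then runs either step by step over the previous session's sequence, or over the
     * previously authenticated IdPs recorded in the context. If an authenticator redirects to an external
     * IdP it reports {@code INCOMPLETE} and this method returns without sending a response; the flow is
     * resumed when the IdP answers. Otherwise the caller is redirected via
     * {@link #sendResponse(HttpServletRequest, HttpServletResponse, AuthenticationContext, boolean)}.
     *
     * @param httpServletRequest    the logout request
     * @param httpServletResponse   the response the redirect is written to
     * @param authenticationContext the framework context of this logout flow
     * @throws FrameworkException if the federated session record cannot be removed, an authenticator's
     *                            logout fails, or the final response cannot be sent
     */
    @Override // org.wso2.carbon.identity.application.authentication.framework.handler.request.LogoutRequestHandler
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
                       AuthenticationContext authenticationContext) throws FrameworkException {
        if (log.isTraceEnabled()) {
            log.trace("Inside handle()");
        }
        String sessionId = authenticationContext.getSessionIdentifier();
        String loginTenantDomain = authenticationContext.getLoginTenantDomain();
        SessionContext sessionContext = FrameworkUtils.getSessionContextFromCache(sessionId, loginTenantDomain);

        // Reads the auth cookie, so it has to run before the cookie is removed below.
        clearUserSessionData(httpServletRequest);
        publishSessionTerminateEvent(httpServletRequest, authenticationContext, sessionContext);
        removeFederatedAuthSessionInfo(authenticationContext, sessionContext);

        FrameworkUtils.removeSessionContextFromCache(sessionId, loginTenantDomain);
        if (IdentityTenantUtil.isTenantedSessionsEnabled()) {
            FrameworkUtils.removeAuthCookie(httpServletRequest, httpServletResponse, loginTenantDomain);
        } else {
            FrameworkUtils.removeAuthCookie(httpServletRequest, httpServletResponse);
        }

        boolean redirectedToExternalIdP;
        if (authenticationContext.isPreviousSessionFound()) {
            redirectedToExternalIdP = logoutSequenceSteps(httpServletRequest, httpServletResponse,
                    authenticationContext);
        } else {
            redirectedToExternalIdP = logoutPreviousAuthenticatedIdPs(httpServletRequest, httpServletResponse,
                    authenticationContext);
        }
        if (redirectedToExternalIdP) {
            // The authenticator already wrote a logout request to its IdP; the flow resumes on the IdP's response.
            return;
        }

        try {
            authenticationContext.clearLoggedOutAuthenticators();
            sendResponse(httpServletRequest, httpServletResponse, authenticationContext, true);
        } catch (ServletException | IOException e) {
            throw new FrameworkException(e.getMessage(), e);
        }
    }

    /**
     * Publishes a SESSION_TERMINATE analytics event when a publisher is configured, enabled, and a session
     * context exists. The authenticated user is taken from the session context; an empty user is published
     * if the stored property is missing or of another type.
     */
    private void publishSessionTerminateEvent(HttpServletRequest request, AuthenticationContext context,
                                              SessionContext sessionContext) {
        if (sessionContext == null) {
            return;
        }
        FrameworkServiceDataHolder dataHolder = FrameworkServiceDataHolder.getInstance();
        if (dataHolder.getAuthnDataPublisherProxy() == null
                || !dataHolder.getAuthnDataPublisherProxy().isEnabled(context)) {
            return;
        }
        Object userProperty = sessionContext.getProperty(FrameworkConstants.AUTHENTICATED_USER);
        AuthenticatedUser authenticatedUser = userProperty instanceof AuthenticatedUser
                ? (AuthenticatedUser) userProperty
                : new AuthenticatedUser();
        FrameworkUtils.publishSessionEvent(context.getSessionIdentifier(), request, context, sessionContext,
                authenticatedUser, FrameworkConstants.AnalyticsAttributes.SESSION_TERMINATE);
    }

    /**
     * Removes the federated authentication session record of this session if the session's auth history
     * contains a SAML SSO step.
     *
     * @throws FrameworkException if the session store fails to delete the record
     */
    private void removeFederatedAuthSessionInfo(AuthenticationContext context, SessionContext sessionContext)
            throws FrameworkException {
        String sessionId = context.getSessionIdentifier();
        if (sessionContext == null || StringUtils.isBlank(sessionId)
                || sessionContext.getSessionAuthHistory() == null
                || sessionContext.getSessionAuthHistory().getHistory() == null) {
            return;
        }
        for (AuthHistory history : sessionContext.getSessionAuthHistory().getHistory()) {
            if (SAML_SSO_AUTHENTICATOR_NAME.equals(history.getAuthenticatorName())) {
                try {
                    UserSessionStore.getInstance().removeFederatedAuthSessionInfo(sessionId);
                } catch (UserSessionException e) {
                    throw new FrameworkException("Error while deleting federated authentication session details "
                            + "for the session context key :" + sessionId, e);
                }
                // The record is keyed by session id, not by history entry, so one removal covers the session.
                return;
            }
        }
    }

    /**
     * Logs the user out of every step of the previous session's sequence, starting at the context's current
     * step (step 1 if unset) so that a flow resumed after an external IdP round trip continues where it stopped.
     * <p>
     * A step whose IdP configuration cannot be loaded is logged and skipped; the step counter still advances,
     * so the loop can never spin on a broken step.
     *
     * @return {@code true} if an authenticator reported {@code INCOMPLETE} (it redirected to an external IdP
     *         and the flow has to pause); {@code false} when every step has been processed
     * @throws FrameworkException if an authenticator's logout fails
     */
    private boolean logoutSequenceSteps(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationContext context) throws FrameworkException {
        SequenceConfig sequenceConfig = context.getSequenceConfig();
        if (context.getCurrentStep() == 0) {
            context.setCurrentStep(1);
        }
        int stepCount = sequenceConfig.getStepMap().size();
        while (context.getCurrentStep() <= stepCount) {
            int currentStep = context.getCurrentStep();
            StepConfig stepConfig = sequenceConfig.getStepMap().get(currentStep);
            AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
            if (authenticatorConfig == null) {
                // No step authenticator recorded: the step was satisfied by the request-path authenticator.
                authenticatorConfig = sequenceConfig.getAuthenticatedReqPathAuthenticator();
            }
            ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
            String idpName = stepConfig.getAuthenticatedIdP();
            if (isMissingIdPName(idpName) && sequenceConfig.getAuthenticatedReqPathAuthenticator() != null) {
                idpName = LOCAL_IDP_NAME;
            }
            AuthenticatorFlowStatus status = runAuthenticatorLogout(request, response, context, idpName,
                    authenticatorConfig, authenticator);
            if (AuthenticatorFlowStatus.INCOMPLETE.equals(status)) {
                return true;
            }
            context.setCurrentStep(currentStep + 1);
        }
        return false;
    }

    /**
     * Logs the user out of every previously authenticated IdP recorded in the context that has not already
     * been logged out in this flow. An IdP whose configuration cannot be loaded is logged and skipped, and is
     * not marked as logged out.
     *
     * @return {@code true} if an authenticator reported {@code INCOMPLETE} and the flow has to pause;
     *         {@code false} when all authenticators have been processed (or there were none)
     * @throws FrameworkException if an authenticator's logout fails
     */
    private boolean logoutPreviousAuthenticatedIdPs(HttpServletRequest request, HttpServletResponse response,
                                                    AuthenticationContext context) throws FrameworkException {
        if (context.getPreviousAuthenticatedIdPs() == null) {
            return false;
        }
        for (AuthenticatedIdPData idpData : context.getPreviousAuthenticatedIdPs().values()) {
            String idpName = idpData.getIdpName();
            for (AuthenticatorConfig authenticatorConfig : idpData.getAuthenticators()) {
                ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
                String authenticatorName = authenticator.getName();
                if (context.isLoggedOutAuthenticator(idpName, authenticatorName)) {
                    continue;
                }
                AuthenticatorFlowStatus status = runAuthenticatorLogout(request, response, context, idpName,
                        authenticatorConfig, authenticator);
                if (status == null) {
                    // IdP lookup failed; nothing was logged out for this authenticator, so do not record it.
                    continue;
                }
                if (AuthenticatorFlowStatus.INCOMPLETE.equals(status)) {
                    return true;
                }
                context.addLoggedOutAuthenticator(idpName, authenticatorName);
            }
        }
        return false;
    }

    /**
     * Prepares the context for one authenticator (external IdP config, authenticator properties, state info)
     * and invokes its logout processing, storing the returned flow status as the FLOW_STATUS request attribute.
     *
     * @return the status reported by the authenticator, or {@code null} when the IdP configuration could not
     *         be loaded -- that failure is logged rather than propagated, as before
     * @throws FrameworkException if the authenticator reports an authentication or logout failure
     */
    private AuthenticatorFlowStatus runAuthenticatorLogout(HttpServletRequest request, HttpServletResponse response,
                                                           AuthenticationContext context, String idpName,
                                                           AuthenticatorConfig authenticatorConfig,
                                                           ApplicationAuthenticator authenticator)
            throws FrameworkException {
        try {
            ExternalIdPConfig idpConfig = ConfigurationFacade.getInstance()
                    .getIdPConfigByName(idpName, context.getTenantDomain());
            context.setExternalIdP(idpConfig);
            context.setAuthenticatorProperties(
                    FrameworkUtils.getAuthenticatorPropertyMapFromIdP(idpConfig, authenticator.getName()));
            AuthenticatorStateInfo stateInfo = authenticatorConfig.getAuthenticatorStateInfo();
            if (stateInfo == null) {
                stateInfo = getStateInfoFromPreviousAuthenticatedIdPs(idpName, authenticatorConfig.getName(), context);
            }
            context.setStateInfo(stateInfo);
            AuthenticatorFlowStatus status = authenticator.process(request, response, context);
            request.setAttribute(FrameworkConstants.RequestParams.FLOW_STATUS, status);
            return status;
        } catch (IdentityProviderManagementException e) {
            log.error("Exception while getting IdP by name", e);
            return null;
        } catch (AuthenticationFailedException | LogoutFailedException e) {
            throw new FrameworkException("Exception while handling logout request", e);
        }
    }

    /** True when a step records no usable IdP name; the literal text "null" is treated as absent as well. */
    private static boolean isMissingIdPName(String idpName) {
        return idpName == null || idpName.isEmpty() || "null".equalsIgnoreCase(idpName);
    }

    /**
     * Redirects the browser back to the caller path once logout processing has finished.
     * <p>
     * When {@code isLoggedOut} is true the caller path is first checked with
     * {@link #isValidCallerPath(AuthenticationContext)}; a rejected path is replaced by the configured default
     * logout URL. If the context carries a caller session key, a logged-out {@link AuthenticationResult} is
     * handed to the caller (as a request attribute or via the cache) and the key is appended to the redirect
     * URL as {@code sessionDataKey}. The authentication context is dropped from the cache unless the
     * {@code retainCache} system property is set.
     *
     * @param httpServletRequest    the logout request
     * @param httpServletResponse   the response the redirect is written to
     * @param authenticationContext the framework context of this logout flow
     * @param isLoggedOut           whether the user has been logged out; exposed to the caller as the
     *                              LOGGED_OUT request attribute
     * @throws ServletException never thrown here; declared for overriding handlers
     * @throws IOException      if the redirect cannot be written
     */
    protected void sendResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
                                AuthenticationContext authenticationContext, boolean isLoggedOut)
            throws ServletException, IOException {
        if (log.isTraceEnabled()) {
            log.trace("Inside sendLogoutResponseToCaller()");
        }
        httpServletRequest.setAttribute(FrameworkConstants.ResponseParams.LOGGED_OUT, isLoggedOut);
        if (isLoggedOut && !isValidCallerPath(authenticationContext)) {
            if (log.isDebugEnabled()) {
                log.debug("The commonAuthCallerPath param specified in the request does not satisfy the logout return url specified. Therefore directing to the default logout return url.");
            }
            authenticationContext.setCallerPath(getDefaultLogoutReturnUrl());
        }

        String callerPath = resolveCallerPathRedirectUrl(authenticationContext);
        String callerSessionKey = authenticationContext.getCallerSessionKey();
        String redirectUrl;
        if (callerSessionKey != null) {
            httpServletRequest.setAttribute("sessionDataKey", callerSessionKey);
            AuthenticationResult authenticationResult = new AuthenticationResult();
            authenticationResult.setLoggedOut(true);
            SequenceConfig sequenceConfig = authenticationContext.getSequenceConfig();
            if (sequenceConfig != null) {
                authenticationResult.setSaaSApp(sequenceConfig.getApplicationConfig().isSaaSApp());
            }
            if (isResultPassedInRequest(httpServletResponse, authenticationContext)) {
                addAuthenticationResultToRequest(httpServletRequest, authenticationResult);
            } else {
                FrameworkUtils.addAuthenticationResultToCache(callerSessionKey, authenticationResult);
            }
            redirectUrl = FrameworkUtils.appendQueryParamsStringToUrl(callerPath,
                    "sessionDataKey=" + URLEncoder.encode(callerSessionKey, FrameworkUtils.UTF_8));
        } else {
            // NOTE(review): the URL built by resolveCallerPathRedirectUrl is not used on this branch; the raw
            // caller path is redirected to, as in the original code -- confirm whether that is intended.
            redirectUrl = authenticationContext.getCallerPath();
        }

        if (System.getProperty("retainCache") == null) {
            FrameworkUtils.removeAuthenticationContextFromCache(authenticationContext.getContextIdentifier());
        }
        if (log.isDebugEnabled()) {
            log.debug("Sending response back to: " + authenticationContext.getCallerPath() + "...\n"
                    + FrameworkConstants.ResponseParams.LOGGED_OUT + " : " + isLoggedOut
                    + "\nsessionDataKey: " + authenticationContext.getCallerSessionKey());
        }
        httpServletResponse.sendRedirect(redirectUrl);
    }

    /**
     * Builds the redirect URL for the context's caller path; if the URL builder fails the raw caller path is
     * used instead (the failure is only logged at debug level).
     */
    private static String resolveCallerPathRedirectUrl(AuthenticationContext context) {
        try {
            return FrameworkUtils.buildCallerPathRedirectURL(context.getCallerPath(), context);
        } catch (URLBuilderException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while generating redirect URL.", e);
            }
            return context.getCallerPath();
        }
    }

    /**
     * True when the result must travel as a request attribute instead of the cache: the request type is one
     * of the cache-disabled authenticators and the response is a wrapper not created by the framework itself.
     */
    private static boolean isResultPassedInRequest(HttpServletResponse response, AuthenticationContext context) {
        return FrameworkUtils.getCacheDisabledAuthenticators().contains(context.getRequestType())
                && response instanceof CommonAuthResponseWrapper
                && !((CommonAuthResponseWrapper) response).isWrappedByFramework();
    }

    /** Exposes the authentication result to the caller as the AUTH_RESULT request attribute. */
    private void addAuthenticationResultToRequest(HttpServletRequest httpServletRequest,
                                                  AuthenticationResult authenticationResult) {
        httpServletRequest.setAttribute(FrameworkConstants.RequestAttribute.AUTH_RESULT, authenticationResult);
    }

    /**
     * Looks up the state info an authenticator saved during login, from the previously authenticated IdPs
     * recorded in the context.
     *
     * @param idpName           name of the IdP the authenticator belongs to
     * @param authenticatorName name of the authenticator
     * @param context           the current authentication context
     * @return the saved state info, or {@code null} if the IdP, its authenticators, or a matching
     *         authenticator is not recorded
     */
    private AuthenticatorStateInfo getStateInfoFromPreviousAuthenticatedIdPs(String idpName, String authenticatorName,
                                                                             AuthenticationContext context) {
        if (context.getPreviousAuthenticatedIdPs() == null) {
            return null;
        }
        AuthenticatedIdPData idpData = context.getPreviousAuthenticatedIdPs().get(idpName);
        if (idpData == null || idpData.getAuthenticators() == null) {
            return null;
        }
        for (AuthenticatorConfig authenticatorConfig : idpData.getAuthenticators()) {
            if (authenticatorName.equals(authenticatorConfig.getName())) {
                return authenticatorConfig.getAuthenticatorStateInfo();
            }
        }
        return null;
    }

    /**
     * Removes the user-session mapping record of the session identified by the request's auth cookie, when
     * session mapping is enabled. The store is given the SHA-256 hex of the cookie value, never the raw value.
     */
    private void clearUserSessionData(HttpServletRequest httpServletRequest) {
        if (!FrameworkServiceDataHolder.getInstance().isUserSessionMappingEnabled()) {
            return;
        }
        Cookie authCookie = FrameworkUtils.getAuthCookie(httpServletRequest);
        if (authCookie == null || authCookie.getValue() == null) {
            return;
        }
        ArrayList<String> terminatedSessionIds = new ArrayList<String>();
        terminatedSessionIds.add(DigestUtils.sha256Hex(authCookie.getValue()));
        UserSessionStore.getInstance().removeTerminatedSessionRecords(terminatedSessionIds);
    }

    /**
     * Decides whether the caller path carried by the logout request may be used as the redirect target.
     * <p>
     * Paths on this server are always accepted. A caller path that can reach another host is accepted only
     * when it matches the regex the relying party's service provider registered under
     * {@value #LOGOUT_RETURN_URL_SP_PROPERTY}; when no relying party is known it is accepted unless
     * {@value #ENABLE_VALIDATING_LOGOUT_RETURN_URL_CONFIG} is "true". A blank caller path and any failure to
     * read the service provider are rejected (fail closed), which sends the user to the default logout URL.
     *
     * @return {@code true} if the caller path may be redirected to
     */
    private boolean isValidCallerPath(AuthenticationContext authenticationContext) {
        String callerPath = authenticationContext.getCallerPath();
        if (StringUtils.isBlank(callerPath)) {
            return false;
        }
        if (!canReachAnotherHost(callerPath)) {
            return true;
        }
        String relyingParty = authenticationContext.getRelyingParty();
        if (StringUtils.isBlank(relyingParty)) {
            return !Boolean.parseBoolean(IdentityUtil.getProperty(ENABLE_VALIDATING_LOGOUT_RETURN_URL_CONFIG));
        }
        try {
            String allowedPattern = getRegisteredLogoutReturnUrl(relyingParty,
                    authenticationContext.getRequestType(), authenticationContext.getTenantDomain());
            return callerPath.matches(allowedPattern);
        } catch (IdentityApplicationManagementException e) {
            if (log.isDebugEnabled()) {
                log.debug("Could not load the service provider of relying party " + relyingParty
                        + "; rejecting the logout caller path.", e);
            }
            return false;
        }
    }

    /**
     * Whether a caller path can send the browser to another host and therefore has to pass the
     * registered-return-URL check: an absolute or bare-host URL, a protocol-relative form ("//host", with
     * either slash character) or anything carrying a URI scheme. Everything else is treated as a path on
     * this server. Matching is case-insensitive and ignores surrounding whitespace so that such variants
     * cannot be classified as a local path.
     */
    private static boolean canReachAnotherHost(String callerPath) {
        String candidate = callerPath.trim();
        if (candidate.startsWith("//") || candidate.startsWith("/\\")
                || candidate.startsWith("\\\\") || candidate.startsWith("\\/")) {
            return true;
        }
        return HOST_BEARING_URL.matcher(candidate).matches() || SCHEME_PREFIX.matcher(candidate).lookingAt();
    }

    /**
     * Returns the logout return URL regex registered for a service provider.
     * <p>
     * The default, {@value #MATCH_ANY_URL}, accepts every caller path; the check therefore only restricts
     * service providers that set {@value #LOGOUT_RETURN_URL_SP_PROPERTY}. The first property with that name
     * wins.
     *
     * @param clientId     relying-party identifier of the service provider
     * @param requestType  inbound protocol; "oidc" is looked up as "oauth2"
     * @param tenantDomain tenant owning the service provider
     * @return the registered regex, or {@value #MATCH_ANY_URL} if the provider or the property is absent
     * @throws IdentityApplicationManagementException if the service provider cannot be read
     */
    private String getRegisteredLogoutReturnUrl(String clientId, String requestType, String tenantDomain)
            throws IdentityApplicationManagementException {
        String lookupType = "oidc".equals(requestType) ? "oauth2" : requestType;
        ServiceProvider serviceProvider = ApplicationManagementService.getInstance()
                .getServiceProviderByClientId(clientId, lookupType, tenantDomain);
        if (serviceProvider == null || serviceProvider.getSpProperties() == null) {
            return MATCH_ANY_URL;
        }
        for (ServiceProviderProperty property : serviceProvider.getSpProperties()) {
            if (LOGOUT_RETURN_URL_SP_PROPERTY.equals(property.getName())) {
                if (log.isDebugEnabled()) {
                    log.debug("Logout caller path validation is configured for service provider of " + clientId);
                }
                return property.getValue();
            }
        }
        return MATCH_ANY_URL;
    }

    /**
     * Returns the URL a rejected caller path is replaced with: {@value #DEFAULT_LOGOUT_URL_CONFIG} from
     * identity.xml, or the server's own logout page when that is not set.
     */
    private String getDefaultLogoutReturnUrl() {
        String configured = IdentityUtil.getProperty(DEFAULT_LOGOUT_URL_CONFIG);
        if (StringUtils.isNotBlank(configured)) {
            return configured;
        }
        if (log.isDebugEnabled()) {
            log.debug("The default logout URL is not set in the identity.xml file. Therefore directing to the default logout page of the server.");
        }
        return DEFAULT_LOGOUT_PAGE;
    }
}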
